
List:       clamav-users
Subject:    Re: [clamav-users] Pdf.Phishing.CWS4c384287-9890237-0
From:       Lilia Gonzalez Medina <liligonz () sourcefire ! com>
Date:       2021-09-10 19:22:55
Message-ID: CANGe6Q9ksxydjvqoM8h5YQ3WNnUxpumx6SvEZB73GZ+J850rBw () mail ! gmail ! com


Hi Dan!

Thank you for bringing this to our attention. From a quick check of some of
the samples alerting with this signature it does seem like it could be
causing FPs. The signature will be dropped for now.

Best regards,

Lilia Gonzalez
Malware Research Team
Cisco Talos

On Fri, Sep 10, 2021 at 12:44 PM <eric-list@truenet.com> wrote:

> Dan,
>
> You can use sigtool:
>
> #sigtool --find-sigs Pdf.Phishing.CWS4c384287-9890237-0 | sigtool --decode-sigs
>
> Looks like a cmap definition, so a definition of character sets to Unicode.
>
> Could definitely be a false positive, send samples to
> https://www.clamav.net/reports/fp
>
> Sincerely,
>
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
>
> *From:* clamav-users <clamav-users-bounces@lists.clamav.net> *On Behalf
> Of *Dan Jaap via clamav-users
> *Sent:* Friday, September 10, 2021 12:31 PM
> *To:* clamav-users@lists.clamav.net
> *Cc:* Dan Jaap <djaap@flclerks.com>
> *Subject:* [clamav-users] Pdf.Phishing.CWS4c384287-9890237-0
>
> Can someone explain what the classification
> "Pdf.Phishing.CWS4c384287-9890237-0" means? I assume it has something to
> do with a link found in a document. However, we've had several of these
> lately and I can't see anything wrong with the documents. We're using
> clamav with OPSWAT Metadefender, integrated into a Web site. Each document
> that is uploaded is scanned by the platform and clamav is the only engine
> finding problems with the documents in question. I have already submitted
> a sample document as a false positive, but have not heard back yet. I was
> hoping to get more info here as to what "Pdf.Phishing.CWS4c384287-9890237-0"
> means.
>
> Here are some details for our clamav environment:
>
> VERSION
> 0.102.4-810
>
> DATABASE VERSION
> 1631145600
>
> DEFINITION UPDATES
> Up to date (up to date )
>
> _______________________________________________
>
> clamav-users mailing list
> clamav-users@lists.clamav.net
> https://lists.clamav.net/mailman/listinfo/clamav-users
>
>
> Help us build a comprehensive ClamAV guide:
> https://github.com/vrtadmin/clamav-faq
>
> http://www.clamav.net/contact.html#ml
>
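Eric's sigtool pipeline above locates the signature and decodes its hex bodies so a human can read what actually matched. The following is an added example (not ClamAV's code and not from the thread) that re-implements that decoding step for a logical (.ldb) signature line; the signature, its name and the helper names SAMPLE_LDB, decode_hex_body and parse_ldb are constructed for illustration, with bodies that spell out PDF CMap boilerplate to show why such a pattern is prone to false positives.

```python
import re

# CONSTRUCTED sample .ldb line (not the real signature from the thread). The hex
# bodies spell out fragments of a PDF ToUnicode CMap: boilerplate found in countless
# benign PDFs, which is exactly what makes such a pattern prone to false positives.
SAMPLE_LDB = (
    "Pdf.Phishing.Example-0;Target:10;0&1;"
    "626567696e636d6170;"                                # "begincmap"
    "2f546f556e69636f6465{-32}626567696e6266636861720a"  # "/ToUnicode" .. "beginbfchar\n"
)

# ClamAV target types (the "Target:N" field of a logical signature).
TARGETS = {0: "any", 1: "PE", 2: "OLE2", 3: "HTML", 4: "Mail", 5: "Graphics",
           6: "ELF", 7: "ASCII", 9: "Mach-O", 10: "PDF", 11: "Flash", 12: "Java"}

# One hex-body token: nibble wildcard, '*', {n}/{n-m} gap, (aa|bb) alternative, or a byte.
_TOKEN = re.compile(r"\?\?|\*|\{[^}]*\}|\([0-9a-fA-F|]+\)|[0-9a-fA-F]{2}")

def decode_hex_body(body: str) -> str:
    """Render a hex pattern for a human, as sigtool --decode-sigs does: printable
    bytes as characters, other bytes as hex escapes, wildcards kept verbatim."""
    tokens = _TOKEN.findall(body)
    if "".join(tokens) != body:  # odd nibble count or syntax this example does not know
        raise ValueError(f"malformed hex body: {body!r}")
    out = []
    for tok in tokens:
        if tok == "??":
            out.append("?")
        elif tok == "*" or tok[0] in "{(":
            out.append(tok)
        else:
            b = int(tok, 16)
            out.append(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}")
    return "".join(out)

def parse_ldb(line: str) -> dict:
    """Split a logical signature into its fields and decode every subsignature.
    Assumption: subsigs are plain hex bodies with an optional 'offset:' prefix
    (PCRE / byte-compare subsigs and ::modifiers are out of scope here)."""
    name, target, logexpr, *subsigs = line.strip().split(";")
    tdb = dict(kv.split(":", 1) for kv in target.split(","))
    tnum = int(tdb.get("Target", "0"))
    decoded = []
    for i, sub in enumerate(subsigs):
        offset, _, body = sub.rpartition(":")  # offset is '' when absent
        decoded.append({"id": i, "offset": offset or "*", "decoded": decode_hex_body(body)})
    return {"name": name, "target": TARGETS.get(tnum, str(tnum)),
            "logical_expression": logexpr, "subsigs": decoded}
```

When the decoded bodies turn out to be nothing but format boilerplate like this, that is the evidence to attach to the false-positive report Eric points to.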





